Security Incidents mailing list archives
Strange scans - inquisitive question
From: paul.rogers () MIS-CDS COM (Paul Rogers)
Date: Fri, 9 Jun 2000 10:46:21 +0100
Hi,

Last night we received some strange scans with a source port of 21 (ftp) and a destination port of 7 (echo). The destination address was always the network address. I was just wondering if anyone else had seen these scans or whether anyone knew what they were looking for. The scans were performed over TCP (protocol 6) and UDP (protocol 17).

I have a theory that 64.79.80.26 (pm001-026.dialup.bignet.net) may be the dialup account of the scanner and the rest of the hosts are compromised systems being used by himself / herself, and the scan from the bignet.net system was an accident.

If anyone can shed any light, it would be greatly appreciated because I'm now very interested to discover what they were trying to achieve.

Snippets of the logs are below:

24.165.238.133 (RRCentralFlorida-165.238.133.cfl.rr.com) - duration of 32 minutes

Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 24.165.238.133:21 xxx.xxx.8.0:7 L=93 S=0x00 I=10061 F=0x4000 T=243 (#67)
Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 24.165.238.133:21 xxx.xxx.8.0:7 L=105 S=0x00 I=10063 F=0x4000 T=243 SYN (#67)

193.226.98.26 (dnt-gw.dnttm.ro) - duration of 5 minutes (note - source port is random)

Jun 8 15:16:43 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 193.226.98.26:58001 xxx.xxx.8.0:7 L=1027 S=0x00 I=5275 F=0x0000 T=239 (#67)

64.79.80.26 (pm001-026.dialup.bignet.net) - duration of 4 minutes

Jun 8 20:05:38 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 64.79.80.26:21 xxx.xxx.8.0:7 L=105 S=0x00 I=26126 F=0x4000 T=243 SYN (#68)
Jun 8 20:05:38 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 64.79.80.26:21 xxx.xxx.8.0:7 L=93 S=0x00 I=26127 F=0x4000 T=243 (#68)

140.174.186.2 (televolve-T1-gw.san-francisco.best.net) - duration of 4 hours 30 minutes

Jun 9 00:00:50 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 140.174.186.2:21 xxx.xxx.8.0:7 L=93 S=0x00 I=46897 F=0x4000 T=243 (#68)
Jun 9 00:00:50 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 140.174.186.2:21 xxx.xxx.8.0:7 L=105 S=0x00 I=46896 F=0x4000 T=243 SYN (#68)

Many thanks,

Paul Rogers, Network Security Analyst.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/

**********************************************************************
The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee. If you are not the addressee any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. The views expressed in this e-mail are those of the individual and not necessarily of MIS Corporate Defense Solutions Ltd. Any prices quoted are only valid if followed up by a formal written quote. If you have received this transmission in error, please contact our Security Manager on 44 (0) 1622 723400.
**********************************************************************
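As an added illustration (not part of Paul's post or of the list archive), a small Python parser for the ipchains "Packet log:" lines quoted above: it groups denied packets to the echo port by source address and separates the fixed-source-port-21 pattern from the random-source-port one seen from dnttm.ro. The sample lines are the ones in the post; the network-address check assumes the anonymised destination keeps its ".0" suffix as written there.

```python
import re
from collections import defaultdict

# Field layout of the ipchains "Packet log:" line quoted in the post.
# The optional trailing word is a TCP flag name such as SYN; UDP lines carry none.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?: (?P<flags>[A-Z]+))? \(#(?P<rule>\d+)\)"
)

# Log lines taken from the post (xxx.xxx.8.0 is the anonymised network address as given there).
SAMPLE = [
    "Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 24.165.238.133:21 xxx.xxx.8.0:7 L=93 S=0x00 I=10061 F=0x4000 T=243 (#67)",
    "Jun 8 04:32:32 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 24.165.238.133:21 xxx.xxx.8.0:7 L=105 S=0x00 I=10063 F=0x4000 T=243 SYN (#67)",
    "Jun 8 15:16:43 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=17 193.226.98.26:58001 xxx.xxx.8.0:7 L=1027 S=0x00 I=5275 F=0x0000 T=239 (#67)",
    "Jun 8 20:05:38 xxxxxxx kernel: Packet log: input DENY eth2 PROTO=6 64.79.80.26:21 xxx.xxx.8.0:7 L=105 S=0x00 I=26126 F=0x4000 T=243 SYN (#68)",
]

def parse_line(line):
    """Return the parsed fields of one ipchains log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"] or ""      # UDP lines have no flag word
    return rec

def echo_probes_by_source(lines, dport=7):
    """Summarise denied packets to the echo port per source: protocols, source ports,
    whether the target was a network (.0) address, and the resulting pattern label."""
    out = defaultdict(lambda: {"protos": set(), "sports": set(), "count": 0, "net_addr": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != dport:
            continue
        s = out[rec["src"]]
        s["count"] += 1
        s["protos"].add(rec["proto"])
        s["sports"].add(rec["sport"])
        s["net_addr"] |= rec["dst"].endswith(".0")
    for s in out.values():
        # A fixed source port of 21 on every packet is the signature the post asks about;
        # any other port mix is labelled random (the dnttm.ro case).
        s["pattern"] = "fixed-sport-21" if s["sports"] == {21} else "random-sport"
    return dict(out)
```

Running `echo_probes_by_source(SAMPLE)` yields one entry per source; the two hosts sending from port 21 over both TCP and UDP get the fixed-port label and the dnttm.ro host the random-port one.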